[EMAIL PROTECTED] writes:
> The approach of tarpitting is to slow down the attacker without impacting
> your network or requiring additional resources on your end to deal with
> the cracker.

That is the ideal. The ideal is unachievable.

> I *think* it does this by analyzing the volume of incoming
> SMTP requests from the same host.

I do not know if it does it this way or not, but if it does then it can be circumvented. Instead of trying usernames at one domain and then moving on to the next, you pick a very large number of domains and try the same username at each of them before moving on to the next username. If you have multiple machines under your control (most viruses these days install remote-control backdoors) then you can get away with fewer domains.

> I think it's entirely appropriate to respond VERY slowly to an unknown
> username request. HOWEVER, if I suddenly have a shortage of SMTPD daemons
> because they are left open to service the "chkuser tarpit", and that hurts
> my email service quality, then I haven't gained anything. I would rather
> be fast at dumping chkuser denials and let them guess.

Precisely. The problem with tarpits is that unless they block IP addresses with a large volume of authentication failures they can be turned into denial of service attacks very easily, but if they work that way then they cannot be effective against distributed attacks. And if you make them effective against distributed attacks by temporarily disabling mail connections for a domain, then the tarpit can still be used as a DoS attack against that domain.

-- 
Paul Allen
Softflare Support
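The two objections in the thread (a per-host tarpit is sidestepped by spreading guesses across many hosts or domains, and the delay it imposes is paid by the server's daemon pool rather than by an attacker who never waits for the reply) can be put into numbers with a small model. The following is an added example, not code from the thread or from any real MTA or chkuser implementation; the thresholds (three free failures, five seconds more per further failure, capped at sixty) and the sample addresses and usernames are constructed assumptions.

```python
"""Model of a chkuser tarpit: per-client-IP failure counting with a growing
delay on the RCPT TO reply for unknown users (illustrative, not a real MTA)."""
from collections import defaultdict


class ChkuserTarpit:
    """Delay unknown-user replies once a client IP has exceeded a few failures.

    Thresholds are assumptions chosen for the example, not values taken from
    any real mail server.
    """

    def __init__(self, free_failures=3, step_seconds=5.0, max_seconds=60.0):
        self.free_failures = free_failures
        self.step_seconds = step_seconds
        self.max_seconds = max_seconds
        self.failures = defaultdict(int)   # client IP -> unknown-user count

    def rcpt_delay(self, client_ip, user_exists):
        """Seconds the daemon holds the connection before answering RCPT TO."""
        if user_exists:
            return 0.0
        self.failures[client_ip] += 1
        excess = self.failures[client_ip] - self.free_failures
        if excess <= 0:
            return 0.0
        return min(self.max_seconds, excess * self.step_seconds)


LOCAL_USERS = {"alice", "bob"}          # constructed sample mailbox list


def run_guesses(tarpit, attempts):
    """Feed (client_ip, rcpt_user) pairs through the tarpit.

    Returns (total_daemon_seconds, tarpitted_attempts): the time daemons spend
    holding connections open, and how many attempts were actually slowed.
    """
    total = 0.0
    slowed = 0
    for ip, user in attempts:
        d = tarpit.rcpt_delay(ip, user in LOCAL_USERS)
        total += d
        if d > 0:
            slowed += 1
    return total, slowed


def daemons_tied_up(total_daemon_seconds, attack_window_seconds):
    """Average number of SMTP daemons kept busy over the attack window.

    An attacker that fires connections and never reads the delayed replies
    pays no time at all; the server pays total_daemon_seconds regardless.
    """
    return total_daemon_seconds / attack_window_seconds


def scenario_single_host(n=200):
    """One bot guesses n unknown usernames at one domain (constructed data)."""
    attempts = [("198.51.100.7", f"user{i}") for i in range(n)]
    return run_guesses(ChkuserTarpit(), attempts)


def scenario_distributed(n=200, hosts=100):
    """The same n guesses spread over many bots, so each IP stays under the
    free-failure threshold and the tarpit never engages (constructed data)."""
    attempts = [(f"203.0.113.{i % hosts}", f"user{i}") for i in range(n)]
    return run_guesses(ChkuserTarpit(), attempts)


if __name__ == "__main__":
    busy, slowed = scenario_single_host()
    print(f"single host: {slowed} attempts tarpitted, {busy:.0f} daemon-seconds held")
    print(f"  ~{daemons_tied_up(busy, 60):.0f} daemons busy on average if fired within 60 s")
    busy, slowed = scenario_distributed()
    print(f"distributed: {slowed} attempts tarpitted, {busy:.0f} daemon-seconds held")
```

Spreading 200 guesses over 100 source addresses (or, seen from any one server, over 100 target domains) never crosses the three-failure threshold, so the tarpit adds nothing. The same 200 guesses from one address cost the server about 11,500 daemon-seconds; if the bot sends them within a minute and does not wait for answers, that is roughly 190 daemons held open on average, which is the daemon shortage the quoted poster describes.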